diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 1e92378a9..d49c74770 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -44,9 +44,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu - `matrix_synapse_enable_registration_captcha` - to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring_captcha.md) documentation. -- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering +- `matrix_synapse_registrations_require_3pid` - a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering -- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality +- variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) - to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality - `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 254d70ee0..0fac0ef6d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3131,6 +3131,9 @@ exim_relay_sender_address: "matrix@{{ matrix_domain }}" # we can stop installing ma1sd. matrix_ma1sd_enabled: false +matrix_ma1sd_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" +matrix_ma1sd_hostname: "{{ matrix_server_fqn_matrix }}" + matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. @@ -3138,12 +3141,25 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # ma1sd's web-server port. matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_ma1sd_container_additional_networks: | - {{ - ( - ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else []) - ) | unique - }} +matrix_ma1sd_container_network: "{{ matrix_addons_container_network }}" + +matrix_ma1sd_container_additional_networks_auto: | + {{ + ( + ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + + + ([devture_postgres_container_network] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname and matrix_ma1sd_container_network != devture_postgres_container_network) else []) + + + ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else []) + + + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_ma1sd_container_labels_traefik_enabled) else []) + ) | unique + }} + +matrix_ma1sd_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_ma1sd_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_ma1sd_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define @@ -3156,7 +3172,7 @@ matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" # The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, # but may be inaccurate if matrix-corporal is enabled. -matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_addons_homeserver_client_api_url }}" # By default, we send mail through the exim relay service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ exim_relay_sender_address }}" @@ -3168,13 +3184,13 @@ matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_ matrix_ma1sd_systemd_required_services_list_auto: | {{ + matrix_addons_homeserver_systemd_services_list + + ([devture_postgres_identifier ~ '.service'] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else []) }} matrix_ma1sd_systemd_wanted_services_list_auto: | {{ - (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) - + ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier) else []) }} @@ -3304,10 +3320,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" - # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level. # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001 matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}" @@ -3349,10 +3361,6 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1: # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" - # OCSP stapling does not make sense when self-signed certificates are used. # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 @@ -3368,8 +3376,6 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + - (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) - + ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else []) + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) @@ -3498,9 +3504,7 @@ matrix_homeserver_proxy_client_api_client_max_body_size_mb: |- matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_federation_api_endpoint }}" -# matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" -# matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" -# matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# TODO - connect this to the identity server, if enabled # # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level. # # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001 @@ -3508,10 +3512,7 @@ matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_fed # matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}" # matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" -# matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" -# matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" -# matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" - +# TODO - adjust ma1sd stuff below, if necessary matrix_homeserver_proxy_systemd_wanted_services_list_auto: | {{ matrix_homeserver_systemd_services_list @@ -4142,8 +4143,10 @@ matrix_synapse_gid: "{{ matrix_user_gid }}" matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url: "{{ ('http://matrix-ma1sd:' + matrix_ma1sd_container_port| string) }}" + # When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself. -matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url if matrix_ma1sd_enabled else '' }}" # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" @@ -4166,6 +4169,8 @@ matrix_synapse_container_additional_networks: | ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else []) + ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else []) + + + ([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else []) ) | unique }} diff --git a/roles/custom/matrix-ma1sd/defaults/main.yml b/roles/custom/matrix-ma1sd/defaults/main.yml index 2c692aa76..cbe68c625 100644 --- a/roles/custom/matrix-ma1sd/defaults/main.yml +++ b/roles/custom/matrix-ma1sd/defaults/main.yml @@ -4,6 +4,9 @@ matrix_ma1sd_enabled: true +matrix_ma1sd_scheme: https +matrix_ma1sd_hostname: '' + matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" @@ -43,14 +46,65 @@ matrix_ma1sd_systemd_wanted_services_list_auto: [] matrix_ma1sd_systemd_wanted_services_list_custom: [] # The base container network. It will be auto-created by this role if it doesn't exist already. -matrix_ma1sd_container_network: "{{ matrix_docker_network }}" +matrix_ma1sd_container_network: "" # A list of additional container networks that matrix-ma1sd would be connected to. # The playbook does not create these networks, so make sure they already exist. # # Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance) +matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}" +matrix_ma1sd_container_additional_networks_auto: [] +matrix_ma1sd_container_additional_networks_custom: [] + +# matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. # -matrix_ma1sd_container_additional_networks: [] +# To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`. +matrix_ma1sd_container_labels_traefik_enabled: true +matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}" +matrix_ma1sd_container_labels_traefik_entrypoints: web-secure +matrix_ma1sd_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints +matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}" +matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}" +matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity" +matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)" +matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0 +matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}" +matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}" +matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint +matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}" +matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}" +matrix_ma1sd_container_labels_matrix_client_user_directory_search_path: "/_matrix/client/{version:(r0|v3)}/user_directory/search" +matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path }}`)" +matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0 +matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}" +matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}" +matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints +# This allows another service to control registrations involving 3PIDs. +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md +matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false +matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}" +matrix_ma1sd_container_labels_matrix_client_3pid_registration_path: "/_matrix/client/{version:(r0|v3)}/register/{type:(email|msisdn)}/requestToken" +matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path }}`)" +matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0 +matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}" +matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}" +matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_ma1sd_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_ma1sd_container_labels_additional_labels: '' # Your identity server is private by default. # To ensure maximum discovery, you can make your identity server @@ -59,7 +113,6 @@ matrix_ma1sd_container_additional_networks: [] # Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups matrix_ma1sd_matrixorg_forwarding_enabled: false - # Database-related configuration fields. # # To use SQLite, stick to these defaults. @@ -130,6 +183,7 @@ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: # Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" +matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1" # Controls whether the self-check feature should validate SSL certificates. matrix_ma1sd_self_check_validate_certificates: true diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index a9c4ec8b0..a24ae8d6c 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml @@ -20,6 +20,7 @@ - tags: - self-check + - self-check-ma1sd block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-ma1sd/tasks/self_check.yml b/roles/custom/matrix-ma1sd/tasks/self_check.yml index 66765727e..7ce57e1ec 100644 --- a/roles/custom/matrix-ma1sd/tasks/self_check.yml +++ b/roles/custom/matrix-ma1sd/tasks/self_check.yml @@ -1,11 +1,8 @@ --- -- ansible.builtin.set_fact: - ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - - name: Check ma1sd Identity Service ansible.builtin.uri: - url: "{{ ma1sd_url_endpoint_public }}" + url: "{{ matrix_ma1sd_self_check_endpoint_url }}" follow_redirects: none validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" check_mode: false @@ -16,9 +13,9 @@ - name: Fail if ma1sd Identity Service not working ansible.builtin.fail: - msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" + msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" when: "result_ma1sd.failed or 'json' not in result_ma1sd" - name: Report working ma1sd Identity Service ansible.builtin.debug: - msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" + msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)" diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index 6e87659b5..4a408b468 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml @@ -122,6 +122,21 @@ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value" +- name: Ensure ma1sd support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_ma1sd_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - labels + +- name: Ensure ma1sd container network is created + community.general.docker_network: + name: "{{ matrix_ma1sd_container_network }}" + driver: bridge + - name: Ensure matrix-ma1sd.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" diff --git a/roles/custom/matrix-ma1sd/tasks/validate_config.yml b/roles/custom/matrix-ma1sd/tasks/validate_config.yml index b490a5c62..e65fd4e56 100644 --- a/roles/custom/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/custom/matrix-ma1sd/tasks/validate_config.yml @@ -45,9 +45,15 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: + - {'name': 'matrix_ma1sd_hostname', when: true} - {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true} - {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true} - {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"} + - {'name': 'matrix_ma1sd_container_network', when: true} + - {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"} + - {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"} + - {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"} + - {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"} - name: (Deprecation) Catch and report renamed ma1sd variables ansible.builtin.fail: diff --git a/roles/custom/matrix-ma1sd/templates/labels.j2 b/roles/custom/matrix-ma1sd/templates/labels.j2 new file mode 100644 index 000000000..871d13406 --- /dev/null +++ b/roles/custom/matrix-ma1sd/templates/labels.j2 @@ -0,0 +1,99 @@ +{% if matrix_ma1sd_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_ma1sd_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }} + +{# + Matrix Identity APIs (/_matrix/identity) +#} +{% if matrix_ma1sd_container_labels_matrix_identity_enabled %} +traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }} + +{% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %} +traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd +traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }} + +traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }} +{% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %} +traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }} +{% endif %} +{% endif %} +{# + /Matrix Identity APIs (/_matrix/identity) +#} + + +{# + Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search) +#} +{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %} +{# + ma1sd only supports /_matrix/client/r0/user_directory/search, + while we potentially handle /_matrix/client/v3/user_directory/search as well, + so we need to transparently reroute. +#} +traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search + +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }} + +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath + +{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %} +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }} + +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }} +{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %} +traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }} +{% endif %} +{% endif %} +{# + /Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search) +#} + + +{# + Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken) +#} +{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %} +{# + ma1sd only supports /_matrix/client/r0/user_directory/search, + while we potentially handle /_matrix/client/v3/user_directory/search as well, + so we need to transparently reroute. +#} +traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken +traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken + +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }} + +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex + +{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %} +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }} + +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }} +{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %} +traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }} +{% endif %} +{% endif %} +{# + /Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken) +#} + +{% endif %} + +{{ matrix_ma1sd_container_labels_additional_labels }} diff --git a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index b5b381f89..36e6a353b 100644 --- a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -35,6 +35,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% endif %} --mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \ --mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \ + --label-file={{ matrix_ma1sd_base_path }}/labels \ {% for arg in matrix_ma1sd_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index def6c6360..e3ffe3416 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -228,37 +228,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" -# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). -# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. -# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" - -# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search). -# This is to assist identity servers which only handle the r0 endpoints. -# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. -# If this is disabled, API requests will be forwarded as-is, without any URL rewriting. -matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true - -# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). -# This allows another service to control registrations involving 3PIDs. -# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md -matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" - -# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken). -# This is to assist identity servers which only handle the r0 endpoints. -# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. -# If this is disabled, API requests will be forwarded as-is, without any URL rewriting. -matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true - -# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" - # Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_media_repo_enabled: false matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 7158708c3..d364b4782 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -51,24 +51,6 @@ } {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} - location ^~ /_matrix/identity { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - } - {% endif %} - {% if matrix_nginx_proxy_proxy_media_repo_enabled %} # Redirect all media endpoints to the media-repo location ^~ /_matrix/media { @@ -162,53 +144,6 @@ } {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} - location ~ ^/_matrix/client/(r0|v3)/user_directory/search { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; - {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %} - rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; - {% endif %} - proxy_pass http://$backend; - {% else %} - {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %} - rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; - {% endif %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } - {% endif %} - - {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} - location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; - {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %} - rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; - {% endif %} - proxy_pass http://$backend; - {% else %} - {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %} - rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; - {% endif %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - } - {% endif %} - {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index bc54026b2..a077d46a9 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -94,6 +94,17 @@ - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': ''} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: